We're an educational testing center (http://www.nite.org.il/index.php/en.html). In the course of evaluating x2go as a possible solution for online testing, we're grappling with the issue of authentication. We need to establish a procedure by which each student has credentials on the server (by some automatic procedure which we still have to implement) and have each student authenticated at login either via user/password or public key. Since the test is one single application, there is no need for a desktop. It appears that providing each student with a username and password on the system is overkill. After all, she will only have to be authenticated once or twice to be tested by the application and then the authentication is expired. We'd greatly appreciate some advice or pointers on which authentication route to pursue for our needs.
Thanks,
Yitzhak
I don't really understand the problem there. Using an LDAP directory for users and groups, it's very easy to add and remove users from all the servers in your cluster. If you have many users at the time, you'll likely need several servers in any case, which will necessitate the use of an LDAP directory in any case, so it's not overkill. You could of course also use those users and groups in other applications if you have them, such as desktops (be it Windows or some GNU-based OS), webapps, etc.
If this is supposed to be an online testing solution, wouldn't it be wise to require authorization in order to take the test?
Hope that helps.
Jo-Erlend Schinstad
You're right Jo. My ignorance is sticking out. I've been with Linux for quite a while, but know little about authorization. Yes. It is absolutely essential that the users be authorized. I'll try to clarify my question: Since there are so many examinees, we need an automated procedure to generate authorization for them. I had thought that granting each her own Linux login would be unnecessary, since all she has to do is access the one application with a browser front end. LDAP sounds like just the thing. Do you know of an application which would automatically generate the necessary (keys?), user authorizations, etc. so we wouldn't have to fiddle with individual user permissions, directories, etc., taking them straight from one default permissions template?
Hi Yitzhak,
On Di 27 Jul 2010 17:01:13 CEST Yitzhak Bar Geva wrote:
> Since there are so many examinees, we need an automated procedure to generate authorization for them. I had thought that granting each her own Linux login would be unnecessary, since all she has to do is access the one application with a browser front end.
Maybe I missed something, but if it is just a browser app that
examinees need to access, why do you want to provide a complete
x-login environment? This means much more hassle to you than just
setting up a secure website.
Wouldn't it be an option just to set up a secure webserver, buy an
official CA-certificate and run your application on your https-webserver?
For automatic LDAP-account generation an algorithm could look like
this and should be very simple:
o people register for an exam
o registration creates a unique registration ID (LDAP-attribute "userid")
o on the registration form people need to enter further personal data (email,
  fullname, etc.)
o with all this data you create an LDAP account on your server
  o this could be done by creating an LDIF file from the reg form
  o or by using python-easyldap (one of my not yet published projects, still
    under heavy development):
      deb http://packages.das-netzwerkteam.de/debian <codename> main
      deb http://packages.das-netzwerkteam.de/ubuntu <codename> main
o problematic is posting the credentials to the user, this is only really
  really safe by e-Mail if you use GnuPG encryption etc.
  o probably easiest would be to send a password
o once a user has the information to log in, the examination could start
o with pam_mkhomedir the user's homedir can be created on the server
  o use the option skel=... to specify a custom skeleton directory
    for the home
o on logout you have to place a hook that disables the LDAP account
  (shadowAccount attribute)
o at night there could be a cron script that erases every home that is older
  than 24h
Best, Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
phone: +49 (4302) 281418, fax: +49 (4302) 281419
e-mail reading/writing hour: weekdays 8h-10h
mail: m.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
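The LDIF route from the list above, sketched as an added example (not code from this thread and not python-easyldap): it turns one registration record into an LDIF entry with a one-time password and a `shadowExpire` backstop, plus the LDIF modify a logout hook could apply to disable the account. The base DN, group ID, home path, login shell and registration-ID pattern are assumptions, and form fields are base64-encoded where needed so that a newline typed into the registration form cannot inject extra attributes.

```python
import base64, hashlib, re, secrets

BASE_DN = "ou=examinees,dc=example,dc=org"  # assumed directory layout
EXAM_GID = 5000                             # assumed shared group for examinees
UID_RE = re.compile(r"[a-z][a-z0-9]{3,31}")  # assumed registration-ID format
SAFE_RE = re.compile(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*")

def ldif_attr(name, value):
    """One LDIF line. Anything but plain printable ASCII is base64-encoded
    (RFC 2849), so a newline typed into the form cannot add attributes."""
    if SAFE_RE.fullmatch(value) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"

def ssha(password):
    """Salted SHA-1 in the {SSHA} form OpenLDAP accepts for userPassword."""
    salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def account_ldif(reg_id, full_name, email, uid_number, today_days):
    """Return (ldif_text, one_time_password) for one registered examinee."""
    if not UID_RE.fullmatch(reg_id):
        raise ValueError("registration ID is not usable as a uid")
    if not full_name.strip():
        raise ValueError("full name is required")
    password = secrets.token_urlsafe(12)
    pairs = [
        ("dn", f"uid={reg_id},{BASE_DN}"),
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", reg_id), ("cn", full_name), ("sn", full_name.split()[-1]),
        ("mail", email),
        ("uidNumber", str(uid_number)), ("gidNumber", str(EXAM_GID)),
        ("homeDirectory", f"/home/exam/{reg_id}"), ("loginShell", "/bin/bash"),
        ("userPassword", ssha(password)),
        ("shadowExpire", str(today_days + 2)),  # days since epoch; backstop expiry
    ]
    return "\n".join(ldif_attr(k, v) for k, v in pairs) + "\n", password

def disable_ldif(reg_id):
    """LDIF modify for the logout hook: a past shadowExpire expires the account."""
    if not UID_RE.fullmatch(reg_id):
        raise ValueError("registration ID is not usable as a uid")
    return (f"dn: uid={reg_id},{BASE_DN}\nchangetype: modify\n"
            "replace: shadowExpire\nshadowExpire: 1\n")
```

The first text would be fed to `ldapadd` and the second to `ldapmodify`; the disable step only has an effect if the PAM account stack on the server checks `shadowExpire`.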